iOS 7.0.6 "Security Content"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| static OSStatus | |
| SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, | |
| uint8_t *signature, UInt16 signatureLen) | |
| { | |
| OSStatus err; | |
| SSLBuffer hashOut, hashCtx, clientRandom, serverRandom; | |
| uint8_t hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN]; | |
| SSLBuffer signedHashes; | |
| uint8_t *dataToSign; | |
| size_t dataToSignLen; | |
| signedHashes.data = 0; | |
| hashCtx.data = 0; | |
| clientRandom.data = ctx->clientRandom; | |
| clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE; | |
| serverRandom.data = ctx->serverRandom; | |
| serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE; | |
| if(isRsa) { | |
| /* skip this if signing with DSA */ | |
| dataToSign = hashes; | |
| dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN; | |
| hashOut.data = hashes; | |
| hashOut.length = SSL_MD5_DIGEST_LEN; | |
| if ((err = ReadyHash(&SSLHashMD5, &hashCtx)) != 0) | |
| goto fail; | |
| if ((err = SSLHashMD5.update(&hashCtx, &clientRandom)) != 0) | |
| goto fail; | |
| if ((err = SSLHashMD5.update(&hashCtx, &serverRandom)) != 0) | |
| goto fail; | |
| if ((err = SSLHashMD5.update(&hashCtx, &signedParams)) != 0) | |
| goto fail; | |
| if ((err = SSLHashMD5.final(&hashCtx, &hashOut)) != 0) | |
| goto fail; | |
| } | |
| else { | |
| /* DSA, ECDSA - just use the SHA1 hash */ | |
| dataToSign = &hashes[SSL_MD5_DIGEST_LEN]; | |
| dataToSignLen = SSL_SHA1_DIGEST_LEN; | |
| } | |
| hashOut.data = hashes + SSL_MD5_DIGEST_LEN; | |
| hashOut.length = SSL_SHA1_DIGEST_LEN; | |
| if ((err = SSLFreeBuffer(&hashCtx)) != 0) | |
| goto fail; | |
| if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0) | |
| goto fail; | |
| if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) | |
| goto fail; | |
| if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) | |
| goto fail; | |
| if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) | |
| goto fail; | |
| goto fail; | |
| if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) | |
| goto fail; | |
| err = sslRawVerify(ctx, | |
| ctx->peerPubKey, | |
| dataToSign, /* plaintext */ | |
| dataToSignLen, /* plaintext length */ | |
| signature, | |
| signatureLen); | |
| if(err) { | |
| sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify " | |
| "returned %d\n", (int)err); | |
| goto fail; | |
| } | |
| fail: | |
| SSLFreeBuffer(&signedHashes); | |
| SSLFreeBuffer(&hashCtx); | |
| return err; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This appears at first glance to be a copy/paste or merge failure of some sort, but the extraneous
goto fail;is disastrous.The internet's best theory at the moment is that this is the bug fixed in iOS 7.0.6. If this is true (it might not be, but it seems plausible), we should expect to see a patch for OS X very shortly.
(PS: Just in case this isn't clear: I didn't find the bug. I just put it up on github to see. Original code is at http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c?txt)